Your Practice Made Perfect

This podcast series provides support, protection, and advice for today’s medical professionals. Brought to you by SVMIC, a mutual insurance company that is 100% owned and governed by our policyholders.

Mar. 09, 2018

Episode 006: HIPAA Know-How – Part 1

In this week’s episode we take a deep dive into the world of HIPAA compliance with Loretta Duncan of SVMIC. In Part 1 of our 2 part series, we cover rules, requirements, and restrictions as it relates to protecting privacy with health information.

Have a question about this podcast? Contact us.

  • Transcript

    Speaker 1: You are listening to Your Practice Made Perfect, support, protection, and advice for practicing medical professionals brought to you by SVMIC.


    Brian: Hello, and welcome to this edition of SVMIC's podcast. I'm Brian Fortenberry. Thanks for joining us. Today, we're going to do a deep dive into all things HIPAA related and get some great feedback from an expert in this field. I'd like to welcome to the show Loretta Duncan. Loretta, thanks for being here.


    Loretta: Oh, thank for having me, Brian. I love talking about HIPAA, so this is going to be fun.


    Brian: Then "I'm in the right place for a deep dive" is what you're saying.


    Loretta: Absolutely.


    Brian: Fantastic. Well before we even start discussing HIPAA and all of the interesting and intricate parts of it, tell us a little bit about yourself. Your background, your experience, and your time here at SVMIC.


    Loretta: Sure, sure. I have been with SVMIC going on 10 years. It'll be 10 years in March. I'm very excited about that. I actually started my career with HIPAA in 2002 before the Privacy Rule went into effect.


    Brian: Wow, okay.


    Loretta: Worked for the Arkansas Medical Society then as a practice management consultant, and that was my project. They just handed it to me and said, "Run with it," truthfully because no one else wanted it.


    Brian: I was about to say, was it your passion at that point or because it just kind of fell in your lap?


    Loretta: It fell in my lap and quickly became my passion.


    Brian: Perfect. Oh, well then you're the exact right person obviously to help us with this. To be honest with you, HIPAA can be kind of confusing. There's these rules and there's these requirements and restrictions, and certain things you have to do. It can be a bear on your back sometimes, so let's start at the very beginning. HIPAA: what is it and why do we have it?


    Loretta: Sure. Just a real simple, quick explanation of HIPAA is it is all about protecting the privacy and security of medical information referred to as "protected health information" or "PHI", which is what a lot of our practices are familiar hearing. It has, actually two rules: we have the HIPAA Privacy Rule, which is about how you use and disclose patient information.


    Brian: Okay.


    Loretta: Then we have the Security Rule that is about how we protect electronic information. That's all the Security Rule is concerned with. Predominantly, what we're going to talk about today has to do with how we use and disclose Protected Health Information because that seems to be where there is so much confusion. "What can I disclose?" "What can't I disclose?" "What am I going to get in trouble for disclosing?" Those types of things.


    Brian: That is the line that everyone seems to be walking constantly. I truly believe that most healthcare providers truly want to do the right thing, and their office [staff 00:02:55]-


    Loretta: Right.


    Brian: But it's "what is the right thing" that gets kind of tricky, and "how do I do it?" We're probably going to get into a lot of these questions of, "Can I do this? Can I not do this? Can I do this?" Some of the things we'll hit today will be the bigger things that you're hearing most often, but I think one of the things that I hear is about releasing of these records. What does it require? Does it require a patient's signed authorization?


    Loretta: This is probably the most confusing part of HIPAA, the one that I get the most questions about. I believe the problem with the disclosure of information from one treating provider to another is a level of fear on the healthcare provider's side is that, "Well if we don't have something signed in writing, is it a HIPAA violation?" The bottom line answer is HIPAA permits covered entities, so physician offices, to disclose information for treatment, payment, and healthcare operations purposes. When we are talking about a patient that is being seen by Dr. Jones, and Dr. Jones' office calls Dr. Smith and says, "We have Loretta Duncan here today in our office. Can you send us over her last clinic note?", there is no requirement by HIPAA to have me sign an authorization stating that's okay.


    Brian: Okay, so there's no requirement.


    Loretta: No.


    Brian: Now, some practices may do that anyway. There's just no requirement. Is that it?


    Loretta: HIPAA is really the floor of protection. You can be more stringent in your policies than HIPAA requires.


    Brian: Gotcha.


    Loretta: What I have found, especially in larger organizations: hospitals, multi-specialty clinics, they may feel like, "You know what? We need a policy that says 'this is what we're going to require before we release any information.'" They do that as a protection because maybe they don't feel comfortable giving that discernment to the individual in medical records.


    Brian: Gotcha.


    Loretta: But, I still think there needs to be some flexibility because it can slow down patient care. That is never what HIPAA intended. It has happened out of fear and a lack of understanding of the rule, but HIPAA never intended for information not to be shared for treatment purposes, but there have been a lot of roadblocks along the way.


    Brian: Yeah because I guess you can get caught up in that paperwork tornado, per se, of, "Well, we would love to do this but we ..." You always hear "prior authorization this, that, and the other." Then if it's a, "Well we haven't had a signed document that can release this information to you" and you're really needing the CT scan, whatever-


    Loretta: Right.


    Brian: Then that can be problematic and potentially cause greater risk, I guess, right?


    Loretta: I agree, and I think that is the point. What I try to do when I train our policyholders and their staff is remind them, patient care always comes first.


    Brian: Yeah, yes.


    Loretta: HIPAA can be right below it. If you are disclosing information for purposes that are in the best interest of that patient and for the care of that patient, even if there was a complaint filed, I still do not believe that the Office of Civil Rights, which is who enforces HIPAA violations, I do not see any reason why there would be a penalty or fine for doing what is in the best interest of the patient. Now, what I will say is if there is a disclosure that's being made that maybe the practice is unsure of but they still believe it's in the best interest of the patient-


    Brian: Yeah.


    Loretta: Document why you're doing it.


    Brian: That's a great point. I mean, as long as you have an explanation behind what you're doing-


    Loretta: Exactly.


    Brian: Like you said, and they know that it's going to be in the best interest of the patient to go ahead and get this service provided at that time, and that that could alleviate some other issues down the line, why not go ahead and do that? That would be, I would think, an easier case to argue than-


    Loretta: Absolutely.


    Brian: Just being haphazard.


    Loretta: Right. There have been extreme situations that have come across my desk where we've heard from a practice who actually referred a patient to a specialist and then couldn't get the report back without the patient going back into the office and signing an authorization form. That, to me, that's not what HIPAA intended.


    Brian: I love mind pictures. That's the way I think. When you say, "HIPAA is the floor," that means that is the minimum requirement.


    Loretta: Mm-hmm (affirmative).


    Brian: All of these other things that practices are putting on top of that, they just need to make probably sure that still all patient care focus and in the best interest of the patient.


    Loretta: Right, and try to develop policies and procedures based on what the requirements are, and not what this idea of HIPAA is or fear of "this is the way we're going to do it because we don't want to get in trouble." I think we've gotten away from the purpose of HIPAA, which is to protect the information but still allow the information to flow where it should.


    Brian: Right. You know, quite honestly, at lease it seems that even more so today maybe than in years past, healthcare is becoming a more consumer-driven industry. A more consumer-driven business.


    Loretta: Right.


    Brian: That being said, like you would with any other product or service, you don't want to make your consumers jump through unnecessary hoops, right?


    Loretta: Correct. That's absolutely correct, and in fact, there was guidance issued by the Office of Civil Rights last year that really talked about covered entities should not be causing unreasonable measures for patients to go through to even get a copy of their own records, because that has also been an issue. You shouldn't make a patient drive into your office to sign a release to get a copy of their medical records. The only obligation for a healthcare provider when releasing information to patient is to verify the patient's identity, but there's nothing in HIPAA that dictates how that has to be done. The discretion is on the practice. They can choose to do that by phone. They can choose to verify a couple pieces of information. They can request that the patient go to their online portal and make a request, but all of those things, as long as the practice is taking reasonable steps to verify the patient's identity, they shouldn't make them jump through hoops. In fact, if they do and a patient files a complaint, they can get in more trouble for that.


    Brian: Wow. One of the questions that I've heard before and have been interested about is someone saying, "Can a physician, a nurse, other staff that works in a hospital or a practice, can they communicate with family or friends involved in that patient's care?" In other words, can my wife go into my medical record and see what's there if she's working at the hospital, for instance?


    Loretta: Okay, well there's a couple of different things here. First, let's address "can a physician's office and staff disclose or communicate with people involved in your care or payment for your care?" If there's a family member involved in your care; for example, I'm involved in my mother's care. I take her to the doctor, I am helping manage her medications. I am clearly involved in her care, however I am not healthcare power of attorney. She is still fine to do that on her own.


    Brian: Sure.


    Loretta: But, if I call the doctor's office and say, "Mom doesn't remember how often she's supposed to take these eye drops. Can you describe that process to me?", they should be able to talk to me without having something signed by my mother.


    Brian: Gotcha.


    Loretta: There is actually guidance, again, from the Office of Civil Rights that states if the patient has either provided their permission, so a lot of practices, when you go to a practice for the first time, you're going to fill out paperwork and it's going to say "who can we talk to about your care?"


    Brian: Right, yes.


    Loretta: That's one easy thing to do, which we've done for my mom. That's easy, but what if she didn't update it? Forgot to put me down as someone? Well the rule even allows the practice to communicate with me even if it's not in writing if, number one, they don't think my mother would object based on past behavior. I'm going to all of her appointments with her, they know me, they know I'm involved with her care. Or, if in their professional judgment, they think it's in the best interest of my mother-


    Brian: Oh okay.


    Loretta: To communicate with me. Again, this is scary for a lot of practices. I have seen practices that have had patients' family members drop them off for an appointment, and then they come to pick them back up, and they won't tell them that they're there. They're afraid to tell them-


    Brian: Really?


    Loretta: They will go to the front desk and say, "Is Mom ready to go?" They're like, "We don't know who your mother is. We can't tell you anything about that."


    Brian: Wow.


    Loretta: See again, that's a fear factor of HIPAA. They know that the individual dropped the patient off. I'm not saying that there shouldn't be protections in place, but I think a lot of this is common sense too.


    Brian: Yeah.


    Loretta: You just kind of got to think about the situation.


    Brian: I guess any time there's some ambiguity there and you're asking people to decipher an opinion based on facts that they see, it makes them a little more nervous. I get that, because the first thing you think of is, "If I tell them that this is their mother that is back here and then their mother didn't want to know that, then here I am going down ..."


    Loretta: Right.


    Brian: That could be a slippery slope, I guess.


    Loretta: Right, and what they could do in that situation is just go ask the patient.


    Brian: Ask her, right.


    Loretta: It goes back to what you were saying about healthcare being consumer-driven now. There's a bit of customer service to this as well-


    Brian: Yeah.


    Loretta: Because if you are saying, "No, I cannot talk to you about anything" and just shut people down, that's a customer service aspect. Let's figure out what we can say and what we can't say. A point that you brought up earlier about employees looking up family members, let's talk about that.


    Brian: Yes, yes. Please do because I hear that question often.


    Loretta: Yes. That comes up quite a bit, and the number one thing I talk about when I do training is, unless you have a work-related reason to access patient information, now I'm talking about physicians, staff, anyone who works in healthcare. Unless you have a work-related reason to use, access, disclose patient information, don't. So, if I'm working at a practice and I know that my brother is coming in later on in the day but my role at that practice has nothing to do with that visit, I don't have a right to just open up his record and take a look at what's been going on.


    Brian: Okay.


    Loretta: I will say, there are some cases where family members are going to be seen at the clinics where employees work, and that employee may be listed on the patient's HIPAA form as someone that can be communicated with-


    Brian: Okay.


    Loretta: But I still don't think it's a good idea for that employee to go straight into the record. I think there needs to be a process, and it needs to be addressed at each practice. "How are we going to handle this?", especially in pediatrics. Think about pediatrics and how many of the employees have children that are patients there-


    Brian: Yes.


    Loretta: But is it a good idea for that employee to constantly be getting in and out of that record without having some check and balance in place?


    Brian: You can get into some pretty sticky issues, certainly if it is maybe a situation where the parents aren't together and you're looking in-


    Loretta: Oh yes.


    Brian: Children's records and those types of things. That could get legally really sticky. You know, you said something and that's a really good point that stuck with me, is even if you have signed an authorization that says it's okay for that person to be notified about my healthcare or any condition-


    Loretta: Right.


    Brian: To bypass going through them to ask, to go straight to the record, that could be harder to explain.


    Loretta: I think so. In the world of electronic records that we have now, every click, every keystroke, everywhere you go in that record, there is a digital footprint. It can potentially raise red flags. There are some software systems that will run behind the scenes and flag any employee accessing another employee's record, employee accessing family members, and those are automatic triggers. Then you're going to have to explain that to either the privacy officer, your office manager, the physician. It's just best, either you need to have a work-related reason, which is fine. If you've got a work-related reason, it's fine.


    Brian: Yes.


    Loretta: If you don't, I believe you need to go through a proper policy for that practice. Something else I wanted to mention while we're talking about communicating with family members or friends involved in the patient's care, we've had a couple of questions recently about, is it a HIPAA violation to allow another person to make a payment on a patient's account?


    Brian: I've heard that as well. You go, "Okay, by them making a payment, do they now have some authorization to be able to get that?"


    Loretta: Right. Again, what I usually tell practices, "If somebody wants to give you money, take it." That's always a good idea-


    Brian: That's a good rule of thumb in life, I think.


    Loretta: Yes, yes. If someone wants to give you money, take it. There is not a HIPAA violation there. Now if somebody calls and says, "I would like to make a payment on my brother's account. Can you tell me the balance?" Again, go back to the guidance that I just talked about. The guidance says if in your professional opinion you believe the patient would not object to that disclosure, then it's permitted. I don't think anybody's going to object to their bill being paid. Now they might-


    Brian: No.


    Loretta: But again, giving the balance, taking the payment, document. Document, document. That's always a good idea.


    Brian: Yes.


    Loretta: Document why you disclosed the balance. Now, are you going to disclose the reason for the visit? No you're not, because that's more than what you need to disclose, but giving a balance in order to get a payment, that's not a HIPAA violation.


    Brian: I'm glad to hear that because I've been asked that myself-


    Loretta: Oh good.


    Brian: And I'm like, "Hmm, I don't know."


    Loretta: Now you know.


    Brian: Now, I do know.


    Loretta: Yes, that's right.


    Brian: As we were talking, it made me think. The big, new thing now is these patient portals. Patient portal, patient portal. You can go and get a tremendous amount of information about yourself.


    Loretta: Mm-hmm (affirmative).


    Brian: Now, it is my opinion that if, for instance, I give my wife or I give my whoever access to my own patient portal and I'm giving them my password or something of that nature, then that is not HIPAA related at all, correct?


    Loretta: That is not on the practice, no. Now the practice should, and in most systems when you create your password or your login, it's going to advise you "keep this information private, this has access to your protected health information," but what you do with it as a patient, just like patients who decide to post their entire medical record online. That's on the patient, not on the practice. Good question.


    Brian: Yeah, because I had heard of people before having a parent, an elderly parent, and they used their mom's or dad's patient portal to kind of keep up with stuff-


    Loretta: Right.


    Brian: And even said, "I wonder if this is a HIPAA violation," but it sounds like as long as they've given you that access to be able to input username and password, you're good.


    Loretta: You're good. Absolutely.


    Brian: HIPAA and HIPAA compliance issues, obviously a huge subject. Join us next time as we continue our discussion with Loretta Duncan regarding HIPAA compliance issues.


    Speaker 1: Thank you for listening to this episode of Your Practice Made Perfect with your host, Brian Fortenberry. Listen to more episodes, subscribe to the podcast, and find show notes at The contents of this podcast are intended for informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific legal requirements may vary from state to state and change over time.


The contents of this Podcast are intended for educational/informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific legal requirements may vary from state to state and/or change over time. All names have been changed to protect privacy.

About our Guest

Loretta Duncan

Loretta Duncan is a Senior Medical Practice Consultant at SVMIC. She has been with SVMIC since 2008, but has worked in the healthcare industry for the last 20 years. Prior to SVMIC, she served as the Director of Practice Management for the Arkansas Medical Society and as a clinic administrator for an orthopaedic practice. Loretta has provided assistance to physician practices with HIPAA compliance since 2002. Loretta is a board-certified Fellow in the American College of Medical Practice Executives and is currently pursuing a Master of Science in Health Law and Policy from the Cumberland School of Law in Birmingham, Alabama.

About our Host

Brian Fortenberry is Assistant Vice President of Underwriting at SVMIC where he assists in evaluating risk for the company and assisting policyholders with underwriting issues. He has been involved with medical professional liability insurance since 2007. Prior to his work at SVMIC, Brian worked in the clinical side of medicine and in broadcast media.